8.3 object oriented NAT/PAT and address pool use.

Hi,

Since moving to the new object oriented NAT syntax, I have encountered problems with using port address translation from many-to-many.

With many thousands of users behind a firewall all passing traffic from inside to outside, I am required to resort to using a pool of external IP addresses, so as not to run out of sockets.

Bit Torrent and other similar apps can cause a world of mess.

While I can configure port address translation as follows:

object network PRIMARY_OUT
 range x.x.x.x x.x.x.x

object-group network INSIDE
 network-object 0.0.0.0 0.0.0.0

nat (any,Primary) source static INSIDE PRIMARY_OUT

While this works there is a single glaring problem that I cannot overcome - irrespective of adding it to the fixup protocol inspection.

When PATing to multiple IP addresses on the outside, PPTP VPNs cease to work.

The only way to overcome this is to PAT to a single overloaded IP address or interface.

Am I doing something wrong? This all worked fine with the old-school nat (inside) / global (outside) style configuration.

Any help or tips would be warmly received.


Re: 8.3 object oriented NAT/PAT and address pool use.

Hi,

You might try to exempt the VPN from being nat-ed

object-group network VPN
 network-object x.x.x.x x.x.x.x

nat (inside,outside) 1 source static INSIDE INSIDE destination static VPN VPN

Dan


8.3 object oriented NAT/PAT and address pool use.

I might be being dim, and I also might have failed to relay my question correctly.

The problem is with users behind the firewall, who are NAT'd when getting out to the internet and who need to use a PPTP VPN to remote sites beyond our firewalls.

Would your recommendation overcome this issue?

Many thanks.


8.3 object oriented NAT/PAT and address pool use.

The only way to overcome this might be to carve out some addresses from that NAT range and set up statics for those internal users who require PPTP outbound access.

Check the xlate table and see if the PPTP users are opening multiple sockets when connecting to their VPN peers.
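To make the xlate check above easier to repeat on a busy box, here is an added example (not from this thread or from Cisco) that parses `show xlate` output, counts translations per inside host, and lists hosts whose translations are spread over more than one mapped pool address. The sample lines are constructed in the ASA 8.3-style format; the interface names, addresses and ports are assumptions, and the regular expression is written for that format only.

```python
import re
from collections import defaultdict

# Constructed sample 'show xlate' output (ASA 8.3-style lines); not captured from the thread's firewall.
SAMPLE_XLATE = """\
TCP PAT from inside:10.1.1.5/49152 to outside:203.0.113.10/1024 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:10.1.1.5/49153 to outside:203.0.113.11/1025 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:10.1.1.5/53001 to outside:203.0.113.10/1026 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside:10.1.1.7/40000 to outside:203.0.113.12/1027 flags ri idle 0:00:01 timeout 0:00:30
NAT from inside:10.1.1.9 to outside:203.0.113.20 flags s idle 0:10:00 timeout 0:00:00
"""

# Matches both "<PROTO> PAT from ..." (port translations) and plain "NAT from ..." (1:1) lines.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+)\s+PAT|NAT)\s+from\s+"
    r"(?P<in_if>[\w-]+):(?P<in_ip>[\d.]+)(?:/(?P<in_port>\d+))?"
    r"\s+to\s+"
    r"(?P<out_if>[\w-]+):(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))?"
)


def parse_xlate(text):
    """Return one dict per recognised xlate line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["proto"] or "NAT",          # plain NAT lines carry no protocol
            "inside_ip": d["in_ip"],
            "inside_port": int(d["in_port"]) if d["in_port"] else None,
            "mapped_ip": d["out_ip"],
            "mapped_port": int(d["out_port"]) if d["out_port"] else None,
        })
    return entries


def summarize_by_host(entries):
    """Per inside host: number of translations and the set of mapped addresses in use."""
    per_host = defaultdict(lambda: {"count": 0, "mapped_ips": set()})
    for e in entries:
        s = per_host[e["inside_ip"]]
        s["count"] += 1
        s["mapped_ips"].add(e["mapped_ip"])
    return {
        host: {"count": s["count"], "mapped_ips": sorted(s["mapped_ips"])}
        for host, s in per_host.items()
    }


def hosts_spread_across_pool(summary):
    """Inside hosts whose open translations land on more than one mapped pool address."""
    return sorted(h for h, s in summary.items() if len(s["mapped_ips"]) > 1)


if __name__ == "__main__":
    summary = summarize_by_host(parse_xlate(SAMPLE_XLATE))
    for host, s in sorted(summary.items()):
        print(f"{host}: {s['count']} xlate(s) via {', '.join(s['mapped_ips'])}")
    print("spread across pool:", hosts_spread_across_pool(summary))
```

Feed it the saved output of `show xlate` instead of the constructed sample to see, per inside host, how many sockets are open and whether one host's translations are being handed out from several pool addresses rather than a single one.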


8.3 object oriented NAT/PAT and address pool use.

Thanks Colin, unfortunately I don't think that this is going to be a scalable solution given the nature of the network and user base.

Is a PAT pool singularly incompatible with PPTP passthrough because of the dynamic nature of source/dest port allocation? Also why is this possible when overloading to a single IP address, rather than a pool?

Many thanks for your help.
